Statutory Boards Agencies × Compliance — International / Multilateral · Last updated 26 May 2026 · methodology v2.1 · Hallucination Register

Misattributed source for a CPMI strategic phrase

RLB Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014

AI's failure:Misattributed Risk for Statutory Boards Agencies × Compliance:Wrong deliverable on cybersecurity framework alignment

What the RLB Specialist Panel found

1. Misattributed source for a CPMI strategic phrase

Question (paraphrased to protect IP): Does the CPMI-IOSCO 2016 Cyber Guidance contain the phrase 'secure the periphery, protect the core', and if not, where does it originate?
Source regulation: Guidance on Cyber Resilience for Financial Market Infrastructures (CPMI-IOSCO 2016)
What AI assistants typically say: The AI tool correctly states that the phrase does not appear in the 2016 guidance, but then misidentifies the origin — attributing it to a CPMI document on reducing the risk of wholesale payments fraud related to endpoint security, rather than to the speech in which it actually appeared.
What the regulator actually says: The phrase 'secure the periphery and protect the core' originates in a 2018 speech by a senior CPMI official (published as BIS Review r181115a), which describes the CPMI's strategic approach but is entirely separate from the 2016 guidance document.
Why the AI went wrong: The AI identified related CPMI material from approximately the same period and substituted a plausible-sounding document for the actual source — a cross-reference error that is easy to miss because the misidentified document is genuine and thematically adjacent.
Cited source(s): Regulator portal: https://www.bis.org

Impact for Compliance Teams in Statutory Boards & Agencies Sector in international jurisdictions working with the Guidance on Cyber Resilience for Financial Market Infrastructures (CPMI-IOSCO 2016)

For Compliance teams at Statutory Boards & Agencies, attributing 'secure the periphery, protect the core' to the 2016 guidance or to a 2018 fraud paper places a regulator strategic frame inside the deliverable with the wrong source attribution. The phrase is from a 2018 speech, not a guidance document. A control narrative, board paper, or training pack that rests on the wrong attribution carries direct review exposure as soon as the citation is tested.

References — raw findings (per AI model)

RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014-Opus47 Claude Opus 4.7 (web search on)
RLB-H-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014-Sonnet46 Claude Sonnet 4.6 (web search on)

This finding also affects

Next finding → Overconfident alignment claim between the 2016 guidance and the 2018 FSB Cyber Lexicon

Cite this finding

Each finding has a stable Citation ID (RLB-F-… for aggregated case-study findings, RLB-H-… for raw per-model hallucinations) — like a DOI, the ID always resolves to the canonical finding even if URLs change.

RLB Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014

Plain text Download

RegLeg Specialist Panel (2026). "Misattributed source for a CPMI strategic phrase — Statutory Boards Agencies × Compliance — International / Multilateral." Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014. RegLegBrief AI Hallucination Research, published 2026-05-26. https://reglegbrief.com/regulators/j1/INT/BIS-CPMI/CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016/sectors/statutory_boards_agencies/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-014/

APA 7th edition Download

RegLeg Specialist Panel. (2026). Misattributed source for a CPMI strategic phrase [Hallucination finding RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014]. RegLegBrief AI Hallucination Research. https://reglegbrief.com/regulators/j1/INT/BIS-CPMI/CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016/sectors/statutory_boards_agencies/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-014/

Bluebook / OSCOLA (US + UK legal) Download

RegLeg Specialist Panel, Misattributed source for a CPMI strategic phrase [RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014], RegLegBrief AI Hallucination Research (May 26, 2026), https://reglegbrief.com/regulators/j1/INT/BIS-CPMI/CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016/sectors/statutory_boards_agencies/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-014/.

BibTeX Download

@misc{reglegbrief_RLB_F_INT_BIS_CPMI_IOSCO_CYBER_RESILIENCE_FMI_2016_Q014,
  author    = {RegLeg Specialist Panel},
  title     = {Misattributed source for a CPMI strategic phrase},
  year      = {2026},
  publisher = {RegLegBrief AI Hallucination Research},
  note      = {Hallucination finding Citation ID: RLB-F-INT-BIS-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-Q014},
  url       = {https://reglegbrief.com/regulators/j1/INT/BIS-CPMI/CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016/sectors/statutory_boards_agencies/compliance/finding/INT-BIS-CPMI-INT-001-CPMI-IOSCO-CYBER-RESILIENCE-FMI-2016-v1-014/}
}

← Back to case study summary Case study detail →

About Citation IDs →

Every finding on this page compares an AI subject's account of the rule against the regulator's verbatim text from the regulator's own portal. Both are linked. Each delta, its root causes, and impact analysis are documented and published with immutable Citation IDs.